Grade F is still better than maybe 50% of the websites online on the www

True, but those sites aren't handling money (and if they are, I certainly won't use them). Given the immutable nature of crypto transactions, base security is pretty key, and it's not there as a common practice. It's not exactly hard either: it's a few headers and a bit of testing. My own site gets A+, and it took no work whatsoever beyond getting hashes of the JavaScripts running on the page and specifying any external sources for images, scripts, etc. The added bonus is that I know if anyone changes anything that could hurt our site.
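The step described in the reply above (hashing the page's scripts and listing external sources), as an added example that is not part of the original post. It assumes the header in question is a Content-Security-Policy; the sample page, the example.com origins and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample page: one inline script, one external script, one external image.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>document.title = "wallet";</script>
<script src="https://cdn.example.com/app.js"></script>
</head><body><img src="https://img.example.com/logo.png"></body></html>
"""

# Inline scripts are <script> tags without a src attribute.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)
# External scripts and images, reduced to scheme + host (the CSP source expression).
EXTERNAL = re.compile(r"<(script|img)\b[^>]*\bsrc=[\"'](https://[^/\"']+)", re.I)

def csp_hash(script_text: str) -> str:
    """CSP hash source for the exact text between <script> and </script>."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_csp(html: str) -> str:
    """Build a policy that allows only what the page actually loads."""
    script_src, img_src = ["'self'"], ["'self'"]
    for kind, origin in EXTERNAL.findall(html):
        target = script_src if kind.lower() == "script" else img_src
        if origin not in target:
            target.append(origin)
    for body in INLINE_SCRIPT.findall(html):
        script_src.append(csp_hash(body))
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "img-src " + " ".join(img_src),
    ])

def is_allowed(script_text: str, policy: str) -> bool:
    """True if an inline script's hash is listed in the policy."""
    return csp_hash(script_text) in policy.replace(";", " ").split()

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(SAMPLE_HTML))
```

Because the browser hashes the inline script byte for byte, any edit to it (even whitespace) stops it from matching the policy, which is the change-detection effect the reply mentions.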